2 * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 struct krb5_kx_context
{
42 krb5_keyblock
*keyblock
;
44 krb5_principal client
;
45 krb5_log_facility
*log
;
49 typedef struct krb5_kx_context krb5_kx_context
;
51 #define K5DATA(kc) ((krb5_kx_context*)kc->data)
52 #define CONTEXT(kc) (K5DATA(kc)->context)
59 ksyslog(krb5_context context
, krb5_error_code ret
, const char *fmt
, ...)
60 __attribute__((__format__(__printf__
, 3, 0)));
63 ksyslog(krb5_context context
, krb5_error_code ret
, const char *fmt
, ...)
70 msg
= krb5_get_error_message(context
, ret
);
73 aret
= vasprintf(&str
, fmt
, va
);
76 syslog(LOG_ERR
, "%s: %s", aret
!= -1 ? str
: "(nil)", msg
);
78 krb5_free_error_message(context
, msg
);
84 * Destroy the krb5 context in `c'.
88 krb5_destroy (kx_context
*kc
)
90 if (K5DATA(kc
)->keyblock
)
91 krb5_free_keyblock (CONTEXT(kc
), K5DATA(kc
)->keyblock
);
92 if (K5DATA(kc
)->crypto
)
93 krb5_crypto_destroy (CONTEXT(kc
), K5DATA(kc
)->crypto
);
94 if (K5DATA(kc
)->client
)
95 krb5_free_principal (CONTEXT(kc
), K5DATA(kc
)->client
);
97 krb5_free_context (CONTEXT(kc
));
98 memset (kc
->data
, 0, sizeof(krb5_kx_context
));
103 * Read the authentication information from `s' and return 0 if
104 * succesful, else -1.
108 krb5_authenticate (kx_context
*kc
, int s
)
110 krb5_auth_context auth_context
= NULL
;
112 krb5_principal server
;
113 const char *host
= kc
->host
;
115 ret
= krb5_sname_to_principal (CONTEXT(kc
),
116 host
, "host", KRB5_NT_SRV_HST
, &server
);
118 krb5_warn (CONTEXT(kc
), ret
, "krb5_sname_to_principal: %s", host
);
122 ret
= krb5_sendauth (CONTEXT(kc
),
128 AP_OPTS_MUTUAL_REQUIRED
| AP_OPTS_USE_SUBKEY
,
136 if(ret
!= KRB5_SENDAUTH_BADRESPONSE
)
137 krb5_warn (CONTEXT(kc
), ret
, "krb5_sendauth: %s", host
);
141 ret
= krb5_auth_con_getkey (CONTEXT(kc
), auth_context
,
142 &K5DATA(kc
)->keyblock
);
144 krb5_warn (CONTEXT(kc
), ret
, "krb5_auth_con_getkey: %s", host
);
145 krb5_auth_con_free (CONTEXT(kc
), auth_context
);
149 ret
= krb5_crypto_init (CONTEXT(kc
), K5DATA(kc
)->keyblock
,
150 0, &K5DATA(kc
)->crypto
);
152 krb5_warn (CONTEXT(kc
), ret
, "krb5_crypto_init");
153 krb5_auth_con_free (CONTEXT(kc
), auth_context
);
160 * Read an encapsulated krb5 packet from `fd' into `buf' (of size
161 * `len'). Return the number of bytes read or 0 on EOF or -1 on
166 krb5_read (kx_context
*kc
,
167 int fd
, void *buf
, size_t len
)
169 size_t data_len
, outer_len
;
171 unsigned char tmp
[4];
175 l
= krb5_net_read (CONTEXT(kc
), &fd
, tmp
, 4);
180 data_len
= (tmp
[0] << 24) | (tmp
[1] << 16) | (tmp
[2] << 8) | tmp
[3];
181 outer_len
= krb5_get_wrapped_length (CONTEXT(kc
),
182 K5DATA(kc
)->crypto
, data_len
);
185 if (krb5_net_read (CONTEXT(kc
), &fd
, buf
, outer_len
) != outer_len
)
188 ret
= krb5_decrypt (CONTEXT(kc
), K5DATA(kc
)->crypto
,
189 KRB5_KU_OTHER_ENCRYPTED
,
190 buf
, outer_len
, &data
);
192 krb5_warn (CONTEXT(kc
), ret
, "krb5_decrypt");
195 if (data_len
> data
.length
) {
196 krb5_data_free (&data
);
199 memmove (buf
, data
.data
, data_len
);
200 krb5_data_free (&data
);
205 * Write an encapsulated krb5 packet on `fd' with the data in `buf,
206 * len'. Return len or -1 on error.
210 krb5_write(kx_context
*kc
,
211 int fd
, const void *buf
, size_t len
)
215 unsigned char tmp
[4];
218 ret
= krb5_encrypt (CONTEXT(kc
), K5DATA(kc
)->crypto
,
219 KRB5_KU_OTHER_ENCRYPTED
,
222 krb5_warn (CONTEXT(kc
), ret
, "krb5_write");
226 outlen
= data
.length
;
227 tmp
[0] = (len
>> 24) & 0xFF;
228 tmp
[1] = (len
>> 16) & 0xFF;
229 tmp
[2] = (len
>> 8) & 0xFF;
230 tmp
[3] = (len
>> 0) & 0xFF;
232 if (krb5_net_write (CONTEXT(kc
), &fd
, tmp
, 4) != 4 ||
233 krb5_net_write (CONTEXT(kc
), &fd
, data
.data
, outlen
) != outlen
) {
234 krb5_data_free (&data
);
237 krb5_data_free (&data
);
242 * Copy from the unix socket `from_fd' encrypting to `to_fd'.
243 * Return 0, -1 or len.
247 copy_out (kx_context
*kc
, int from_fd
, int to_fd
)
252 len
= read (from_fd
, buf
, sizeof(buf
));
256 krb5_warn (CONTEXT(kc
), errno
, "read");
259 return krb5_write (kc
, to_fd
, buf
, len
);
263 * Copy from the socket `from_fd' decrypting to `to_fd'.
264 * Return 0, -1 or len.
268 copy_in (kx_context
*kc
, int from_fd
, int to_fd
)
270 char buf
[33000]; /* XXX */
274 len
= krb5_read (kc
, from_fd
, buf
, sizeof(buf
));
278 krb5_warn (CONTEXT(kc
), errno
, "krb5_read");
282 return krb5_net_write (CONTEXT(kc
), &to_fd
, buf
, len
);
286 * Copy data between `fd1' and `fd2', encrypting in one direction and
287 * decrypting in the other.
291 krb5_copy_encrypted (kx_context
*kc
, int fd1
, int fd2
)
297 if (fd1
>= FD_SETSIZE
|| fd2
>= FD_SETSIZE
) {
298 krb5_warnx (CONTEXT(kc
), "fd too large");
306 ret
= select (max(fd1
, fd2
)+1, &fdset
, NULL
, NULL
, NULL
);
307 if (ret
< 0 && errno
!= EINTR
) {
308 krb5_warn (CONTEXT(kc
), errno
, "select");
311 if (FD_ISSET(fd1
, &fdset
)) {
312 ret
= copy_out (kc
, fd1
, fd2
);
316 if (FD_ISSET(fd2
, &fdset
)) {
317 ret
= copy_in (kc
, fd2
, fd1
);
325 * Return 0 if the user authenticated on `kc' is allowed to login as
330 krb5_userok (kx_context
*kc
, char *user
)
335 ret
= krb5_unparse_name (CONTEXT(kc
), K5DATA(kc
)->client
, &tmp
);
337 krb5_err (CONTEXT(kc
), 1, ret
, "krb5_unparse_name");
340 return !krb5_kuserok (CONTEXT(kc
), K5DATA(kc
)->client
, user
);
344 * Create an instance of an krb5 context.
348 krb5_make_context (kx_context
*kc
)
353 kc
->authenticate
= krb5_authenticate
;
354 kc
->userok
= krb5_userok
;
355 kc
->read
= krb5_read
;
356 kc
->write
= krb5_write
;
357 kc
->copy_encrypted
= krb5_copy_encrypted
;
358 kc
->destroy
= krb5_destroy
;
360 kc
->data
= malloc(sizeof(krb5_kx_context
));
362 if (kc
->data
== NULL
) {
363 syslog (LOG_ERR
, "failed to malloc %lu bytes",
364 (unsigned long)sizeof(krb5_kx_context
));
367 memset (kc
->data
, 0, sizeof(krb5_kx_context
));
368 c
= (krb5_kx_context
*)kc
->data
;
369 ret
= krb5_init_context (&c
->context
);
371 syslog (LOG_ERR
, "failed initialise krb5 context");
377 * Receive authentication information on `sock' (first four bytes
382 recv_v5_auth (kx_context
*kc
, int sock
, u_char
*buf
)
386 krb5_principal server
;
387 krb5_auth_context auth_context
= NULL
;
390 if (memcmp (buf
, "\x00\x00\x00\x13", 4) != 0)
392 len
= (buf
[0] << 24) | (buf
[1] << 16) | (buf
[2] << 8) | (buf
[3]);
393 if (net_read(sock
, buf
, len
) != len
) {
394 syslog (LOG_ERR
, "read: %m");
397 if (len
!= sizeof(KRB5_SENDAUTH_VERSION
)
398 || memcmp (buf
, KRB5_SENDAUTH_VERSION
, len
) != 0) {
399 syslog (LOG_ERR
, "bad sendauth version: %.8s", buf
);
403 krb5_make_context (kc
);
404 krb5_openlog(CONTEXT(kc
), "kxd", &K5DATA(kc
)->log
);
405 krb5_set_warn_dest(CONTEXT(kc
), K5DATA(kc
)->log
);
407 ret
= krb5_sock_to_principal (CONTEXT(kc
), sock
, "host",
408 KRB5_NT_SRV_HST
, &server
);
410 ksyslog (CONTEXT(kc
), ret
, "krb5_sock_to_principal");
414 ret
= krb5_recvauth (CONTEXT(kc
),
419 KRB5_RECVAUTH_IGNORE_VERSION
,
422 krb5_free_principal (CONTEXT(kc
), server
);
424 ksyslog (CONTEXT(kc
), ret
, "krb5_recvauth");
428 ret
= krb5_auth_con_getkey (CONTEXT(kc
), auth_context
, &K5DATA(kc
)->keyblock
);
430 ksyslog (CONTEXT(kc
), ret
, "krb5_auth_con_getkey");
434 ret
= krb5_crypto_init (CONTEXT(kc
), K5DATA(kc
)->keyblock
, 0, &K5DATA(kc
)->crypto
);
436 ksyslog (CONTEXT(kc
), ret
, "krb5_crypto_init");
440 K5DATA(kc
)->client
= ticket
->client
;
441 ticket
->client
= NULL
;
442 krb5_free_ticket (CONTEXT(kc
), ticket
);
444 krb5_auth_con_free(CONTEXT(kc
), auth_context
);